Comments on: On Compliance

by: Chandler Howell

Fri, 20 Jun 2008 17:21:16 +0000

no worries. The criticism would be of the delivery, not the content, and I’ll be the first one to agree that sometimes, it just sneaks out.

by: Alex

Fri, 20 Jun 2008 15:00:11 +0000

Yeah, it just hit me wrong. I get too much coffee, I’m in a bad mood, read something that I’m passionate about and BOOM I write something like that :)

Apologies for the dogmatic comments…

by: Chandler Howell

Thu, 19 Jun 2008 19:52:55 +0000

It would appear that some would think I’m too kind in responding to my critics… ;-)

by: Alex

Thu, 19 Jun 2008 18:49:21 +0000

Not trying to be antagonistic or snarky here, but:

“I still want to know what are the baselines, the metrics, and the guiding standards for Information Risk Management. IRM points to directly the security standards and baselines like ISO 27001.”

NO.

No, no, no, no, no, no, no, no, no. no.

Not even close.

“Baselines” like ISO 27001 or any other ISMS have very little to do with actual “management by and of, risk”. In other words:

1.) An ISMS is not an IRMS (Information Risk Management System - if such a thing exists - and please don’t point me to SABSA as an example).

2.) Much of what various ISMS frameworks call “Risk Management” is actually a heightened vulnerability management cycle.

3.) Managing discrete tactical issues is not, can not, be the sum total of what management by and of, risk, *is*.

Finally, the metrics of risk have to do with *expressing the value* of being at some state of “secure” - and not just the measurement of “how secure” itself.